From 8e4c57a93addea88c7881e21824d4c3b53532e3e Mon Sep 17 00:00:00 2001
From: knight
Date: Thu, 8 Jan 2026 14:53:44 -0500
Subject: [PATCH] Security: add security headers, CSP, request size limits

---
 search_app.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/search_app.py b/search_app.py
index e74dbc8..f01a2ba 100644
--- a/search_app.py
+++ b/search_app.py
@@ -938,6 +938,23 @@ def build_full_graph_payload(
 def create_app(config: AppConfig = CONFIG) -> Flask:
     app = Flask(__name__, static_folder=str(Path(__file__).parent / "static"))
+    app.config['MAX_CONTENT_LENGTH'] = 1 * 1024 * 1024
+
+    @app.after_request
+    def add_security_headers(response):
+        response.headers['X-Frame-Options'] = 'DENY'
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        response.headers['Permissions-Policy'] = 'geolocation=(), microphone=(), camera=()'
+        response.headers['Content-Security-Policy'] = (
+            "default-src 'self'; "
+            "script-src 'self' https://cdn.jsdelivr.net https://unpkg.com; "
+            "style-src 'self' 'unsafe-inline' https://unpkg.com; "
+            "img-src 'self' data: https:; "
+            "font-src 'self' https://unpkg.com; "
+            "connect-src 'self'"
+        )
+        return response
+
     client = _ensure_client(config)
     index = config.elastic.index
     qdrant_url = config.qdrant_url
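Review bot: The Content-Security-Policy built in add_security_headers has no `base-uri`, `frame-ancestors` or `form-action` directive, and those three do not fall back to `default-src`, so they stay unrestricted; `object-src` does inherit `default-src 'self'`, but pinning it to `'none'` is the usual hardening, and `X-Frame-Options: DENY` only covers framing in browsers that do not honour CSP. Extend the last string in the tuple to `"connect-src 'self'; "` followed by `"object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'"`, and add `response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'` next to the other headers. The `'unsafe-inline'` allowance in `style-src` and the two CDN origins in `script-src` remain the weak points; scripts served from those hosts should carry `integrity=` attributes in the templates, which this patch does not touch, and the new hook overwrites rather than `setdefault`s the headers, so a route cannot supply a stricter per-response policy. A one-line docstring such as `"""Attach clickjacking, MIME-sniffing and CSP hardening headers to every response."""` would document the hook. create_app continues past the end of the hunk.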